tomcat-users mailing list archives

From Marvin Lillehaug <>
Subject RE: Responses of two different requests concatenated
Date Wed, 07 Aug 2013 15:25:04 GMT
Thank you both for your replies :)
I only have a screenshot of how it looked to the user, so I don't know whether the headers
were included.

I have given up trying to investigate further, so I guess the only thing to do is to activate
RECYCLE_FACADES and hope for the best.

-----Original Message-----
From: Konstantin Kolinko [] 
Sent: Wednesday, August 07, 2013 12:35 PM
To: Tomcat Users List
Subject: Re: Responses of two different requests concatenated

2013/8/7 Marvin Lillehaug <>:
> Hi!
> We recently got an error report from a user of one of the systems we have developed,
> showing that the response from a different request had been appended to the original response.
> The original response was the front page of a site, generated with JSP, and the appended
> response was an Excel file generated a few seconds earlier.
> Our current hypothesis is that some buffer in either httpd (2.2.22) or Tomcat (7.0.35)
> has been recycled.
> Httpd is connected to Tomcat using http proxypass.
> I have started trying to reproduce the problem, but thought I should try the mailing
> lists of both httpd and tomcat before continuing.
> What I have done thus far is: concatenating HTML and Excel to verify that it is possible
> to open and looks the way the user experienced; building a custom version of Tomcat that uses
> the same Processor for each request and configured to use only one thread.
> This seems a bit similar to the issue described in
> (CVE-2011-1475)
> Some results when googling suggest that this could happen when JSP tags are not coded properly,
> but I have not found any such code in our applications.
> Does anyone have any ideas or suggestions?

The usual culprit is a bug in the web application that uses request/response objects outside of their
life cycle.

The first step that I'd recommend is to set org.apache.catalina.connector.RECYCLE_FACADES=true
for better security and to ease detection of such misuse.


There also exists a known issue in the Java ImageIO API,

There also exists CVE-2013-2071 (fixed in 7.0.40).

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail:
For additional commands, e-mail:
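The "request/response objects used outside of their life cycle" bug that Konstantin points to is easiest to see in code. The following is an added illustration, not code from this thread, from the poster's application, or from Tomcat: a servlet that hands a slow Excel export to a worker thread while still holding the HttpServletResponse after doGet has returned, next to a version that keeps the response alive with the Servlet 3.0 async API (available in Tomcat 7). The renderExcel helper, the servlet names and the thread pool are hypothetical stand-ins; Java 8 syntax is assumed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import javax.servlet.AsyncContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread or from Tomcat). Two servlets that
 * offload a slow "Excel" export to a worker thread: one misuses the response
 * object after its request is over, the other does it correctly.
 */
public class ExportServlets {

    // Hypothetical stand-in for a real spreadsheet generator.
    static byte[] renderExcel(String user) {
        return ("fake-xls-for-" + user).getBytes(StandardCharsets.ISO_8859_1);
    }

    static final ExecutorService WORKERS = Executors.newFixedThreadPool(4);

    /** BROKEN: the response object is written to after doGet has returned. */
    public static class LeakyExportServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            final String user = req.getRemoteUser();
            // doGet returns at once. Tomcat then completes the (empty) response
            // and recycles its internal Request/Response objects for the next
            // request on that connector thread.
            WORKERS.submit(() -> {
                try {
                    byte[] xls = renderExcel(user);
                    // With RECYCLE_FACADES=false (the default) 'resp' is a facade
                    // that Tomcat has already reattached to some later request, so
                    // these bytes are appended to whatever that request is sending,
                    // e.g. another user's front page.
                    // With RECYCLE_FACADES=true the facade was cleared when the
                    // request was recycled, so this throws NullPointerException in
                    // the worker instead, which is loud and harmless by comparison.
                    resp.setContentType("application/vnd.ms-excel");
                    OutputStream out = resp.getOutputStream();
                    out.write(xls);
                    out.flush();
                } catch (Exception e) {
                    e.printStackTrace();
                }
            });
        }
    }

    /** FIXED: keep the response inside its life cycle with the async API. */
    public static class AsyncExportServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            final String user = req.getRemoteUser();
            // startAsync() tells the container not to complete or recycle the
            // request/response when doGet returns. The servlet must be declared
            // asyncSupported (annotation or web.xml) for this to be allowed.
            final AsyncContext ctx = req.startAsync();
            ctx.setTimeout(60_000);
            WORKERS.submit(() -> {
                try {
                    byte[] xls = renderExcel(user);
                    HttpServletResponse r = (HttpServletResponse) ctx.getResponse();
                    r.setContentType("application/vnd.ms-excel");
                    r.setContentLength(xls.length);
                    r.getOutputStream().write(xls);
                } catch (Exception e) {
                    e.printStackTrace();
                } finally {
                    ctx.complete(); // only now may Tomcat recycle the objects
                }
            });
        }
    }
}
```

To get the fail-loud behaviour described in the comments, set the property Konstantin names, either as `org.apache.catalina.connector.RECYCLE_FACADES=true` in conf/catalina.properties or as `-Dorg.apache.catalina.connector.RECYCLE_FACADES=true` in CATALINA_OPTS, and then watch the logs for NullPointerExceptions from code that touches a request or response: each one is a place where an object escaped its request. The async variant needs `asyncSupported=true` on the servlet and on every filter in front of it.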
